Let's Encrypt 的中级证书

Let's Encrypt 的中级证书

我已经在我的服务器上设置了 Let's Encrypt 加密,然后在同一台服务器(ubuntu server 16.04 with nginx)上设置邮件服务器(dovecot 和 postfix)的教程。在此过程中,我还为该域创建了两个电子邮件地址,我希望通过邮件客户端 Mail 使用这些地址。但是,我收到错误“无法验证帐户名或密码”,然后http://www.checktls.com/perl/TestReceiver.pl我收到以下错误:

[001.075]       Cert NOT VALIDATED: unable to get local issuer certificate
[001.075]       this may help: What Is An Intermediate Certificate
[001.075]       So email is encrypted but the domain is not verified
[001.075]   ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075]       Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076]       So email is encrypted but the host is not verified

完整报告:

seconds     test stage and result
[000.123]       Connected to server
[000.437]   <-- 220 ubuntu-512mb-fra1-01.mysite.com ESMTP Postfix (Ubuntu)
[000.437]       We are allowed to connect
[000.438]   --> EHLO checktls.com
[000.558]   <-- 250-ubuntu-512mb-fra1-01.mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.558]       We can use this server
[000.559]       TLS is an option on this server
[000.559]   --> STARTTLS
[000.679]   <-- 220 2.0.0 Ready to start TLS
[000.680]       STARTTLS command works on this server
[000.947]   ssl : new ctx 140396633279344
: start handshake
: ssl handshake not started
: not using SNI because hostname is unknown
: set socket to non-blocking to enforce timeout=30
: call Net::SSLeay::connect
: done Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: call Net::SSLeay::connect
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: done Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: call Net::SSLeay::connect
: done Net::SSLeay::connect -> 1
: ssl handshake done
[000.949]       SSLVersion in use: TLSv1.2
[000.949]       Cipher in use: ECDHE-RSA-AES128-SHA256
[000.950]       Connection converted to SSL
[000.979]       
Certificate 1 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Let's Encrypt
      commonName        = Let's Encrypt Authority X3
    Validity
      Not Before: Oct 29 10:33:00 2016 GMT
      Not After : Jan 27 10:33:00 2017 GMT
    Subject:
      commonName        = mysite.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
          f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
          77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
          31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
          22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
          df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
          70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
          95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
          10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
          ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
          11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
          75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
          67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
          e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
          24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
          ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
          7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
          03:45
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Key Identifier: 
        D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
      X509v3 Authority Key Identifier: 
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
      Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
      X509v3 Subject Alternative Name: 
        DNS:mysite.com, DNS:www.mysite.com
      X509v3 Certificate Policies: 
        Policy: 2.23.140.1.2.1
        Policy: 1.3.6.1.4.1.44947.1.1.1
          CPS: http://cps.letsencrypt.org
          User Notice:
          Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
  Signature Algorithm: sha256WithRSAEncryption
     75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
     41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
     46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
     4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
     ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
     6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
     80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
     d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
     54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
     10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
     cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
     56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
     31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
     af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
     36:7e:d3:1e
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----                                                                                                                      
[001.005]       
Certificate 2 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Let's Encrypt
      commonName        = Let's Encrypt Authority X3
    Validity
      Not Before: Oct 29 10:33:00 2016 GMT
      Not After : Jan 27 10:33:00 2017 GMT
    Subject:
      commonName        = mysite.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
          f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
          77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
          31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
          22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
          df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
          70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
          95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
          10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
          ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
          11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
          75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
          67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
          e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
          24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
          ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
          7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
          03:45
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Key Identifier: 
        D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
      X509v3 Authority Key Identifier: 
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
      Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
      X509v3 Subject Alternative Name: 
        DNS:mysite.com, DNS:www.mysite.com
      X509v3 Certificate Policies: 
        Policy: 2.23.140.1.2.1
        Policy: 1.3.6.1.4.1.44947.1.1.1
          CPS: http://cps.letsencrypt.org
          User Notice:
          Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
  Signature Algorithm: sha256WithRSAEncryption
     75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
     41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
     46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
     4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
     ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
     6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
     80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
     d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
     54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
     10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
     cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
     56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
     31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
     af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
     36:7e:d3:1e
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----                                                                                                                        
[001.074]       
Certificate 3 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Let's Encrypt
      commonName        = Let's Encrypt Authority X3
    Validity
      Not Before: Oct 29 10:33:00 2016 GMT
      Not After : Jan 27 10:33:00 2017 GMT
    Subject:
      commonName        = mysite.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
          f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
          77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
          31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
          22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
          df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
          70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
          95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
          10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
          ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
          11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
          75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
          67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
          e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
          24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
          ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
          7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
          03:45
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Key Identifier: 
        D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
      X509v3 Authority Key Identifier: 
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
      Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
      X509v3 Subject Alternative Name: 
        DNS:mysite.com, DNS:www.mysite.com
      X509v3 Certificate Policies: 
        Policy: 2.23.140.1.2.1
        Policy: 1.3.6.1.4.1.44947.1.1.1
          CPS: http://cps.letsencrypt.org
          User Notice:
          Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
  Signature Algorithm: sha256WithRSAEncryption
     75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
     41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
     46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
     4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
     ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
     6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
     80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
     d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
     54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
     10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
     cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
     56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
     31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
     af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
     36:7e:d3:1e
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----                                                                                                                          
[001.075]       Cert NOT VALIDATED: unable to get local issuer certificate
[001.075]       this may help: What Is An Intermediate Certificate
[001.075]       So email is encrypted but the domain is not verified
[001.075]   ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075]       Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076]       So email is encrypted but the host is not verified
[001.076]   ~~> EHLO checktls.com
[001.077]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `EHLO checktls.com
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 19:19 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.197]   <~~ 250-ubuntu-512mb-fra1-01.mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.198]       TLS successfully started on this server
[001.198]   ~~> MAIL FROM:<[email protected]>
[001.199]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `MAIL FROM: 
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 31:31 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.332]   <~~ 250 2.1.0 Ok
[001.333]       Sender is OK
[001.333]   ~~> RCPT TO:<[email protected]>
[001.335]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `RCPT TO: 
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 31:31 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.470]   <~~ 250 2.1.5 Ok
[001.471]       Recipient OK, E-mail address proofed
[001.471]   ~~> QUIT
[001.473]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `QUIT
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 6:6 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.592]   <~~ 221 2.0.0 Bye
[001.595]   ssl : free ctx 140396633279344 open=140396633279344
: free ctx 140396633279344 callback

据我所知,问题出在证书的实施上。我可以采取哪些步骤来解决这个问题?

答案1

看着

由于主机名未知,因此不使用 SNI

之后看到测试连接的主机名

ubuntu-512mb-fra1-01.mysite.com

commonName = mysite.com

**X509v3 Subject Alternative Name: 
    DNS:mysite.com, DNS:www.mysite.com** 

....我注意到:CN 和连接服务器主机名不同,并且

第二链中的所有证书都是相同的

     -----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----

这就是验证失败的原因。

答案2

我的主机名是 vegas,我使用 LE 证书如下:

向 LE 请求证书:

/opt/letsencrypt/letsencrypt-auto certonly --agree-tos --email [email protected] --keep-until-expiring --webroot -w /usr/share/nginx/html --rsa-key-size 4096 -d vegas.jacobdevans.com --renew-by-default

内容/etc/postfix/main.cf | grep vegas

smtp_tls_cert_file = /etc/letsencrypt/live/vegas.jacobdevans.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/vegas.jacobdevans.com/privkey.pem

Postfix 不支持 SNI(仅限 https),因此我会为您的 mta 专门指定一个主机名或将其添加到 SANs 证书。

始终使用 fullchain.pem。

相关内容